Communication channels between the incident response team and the rest of the organization
Metrics for evaluating the efficiency of incident response

The benefits of an incident response plan don't end when a cybersecurity incident is resolved. The plan continues to provide support for litigation, documentation to submit to auditors, and historical knowledge that enables a better response to similar incidents in the future.

A standard incident response plan that may be implemented by an organization includes the following steps:

Step 1: Early detection
A security event occurs, and the system detects it. Typically, the security information and event management (SIEM) platform alerts the incident response team.

Step 2: Analysis
Analysts review alerts, identify indicators of compromise (IoC), and use them to triage the threat. They will often perform additional testing, reviewing related alerts and ruling out false positives to get a complete picture of suspicious events.

Step 3: Prioritization
Analysts need to understand the impact of security incidents on the organization's business activity and valuable assets. Prioritizing incidents helps a team understand which security events to focus on, and how to best manage resources in subsequent steps.

Step 4: Notification
First, the incident responder notifies the appropriate people within the organization. In case of a confirmed breach, organizations typically notify external parties, such as customers, business partners, regulators, law enforcement agencies, or the public. The decision to notify external parties is usually left to senior management.

Step 5: Containment and forensics
Incident responders take action to stop the incident and prevent the threat from reinfecting the environment. They also collect forensic evidence as needed for further investigation or future legal proceedings.
Step 6: Recovery
Incident responders eradicate malware from affected systems, then rebuild, restore from backup, and patch those systems to restore normal operation.

Step 7: Incident review
To prevent an incident from reoccurring and to improve future response, security personnel review the steps that led to the detection of the most recent incident. They identify aspects of successful incident response, opportunities to improve systems (such as tools, processes, and staff training), and recommend remediations for discovered vulnerabilities.

Some large organizations with significant security expertise have developed incident response frameworks to help organizations create standardized response plans. The National Institute of Standards and Technology (NIST) and the SysAdmin, Auditing, Networking, and Security Institute (SANS) have each developed well-known incident response frameworks.

SANS Incident Response Framework
SANS is a private organization that works to investigate and educate the public on security issues. The SANS framework divides the incident response process into six phases:
SANS also includes an incident response checklist for each step and two templates with system commands to help organizations carry out specific incident response tasks. These templates are available for Windows and UNIX systems.

NIST Incident Response Framework
NIST is a US government agency that develops standards for the technology and security industry. As part of their cybersecurity work, they developed a comprehensive incident response framework. It includes details on creating an incident response plan, establishing an incident response team, building a communication plan, and training scenarios. The framework condenses the six incident response steps used by the SANS framework into four:
NIST considers the containment, eradication, and recovery phases as overlapping. For example, while containing threats, an organization should not wait until all threats have been discovered before eradicating the problem. If other threats are present, they should be contained and eliminated as soon as possible. Also, recovery is not a strictly defined step but a process that depends on the prioritization and content of the assets being recovered.

Developing an incident response plan can be difficult. Using one of the following templates provides structure and direction for this task:
An incident response playbook provides teams with standard steps and procedures for responding to and resolving incidents in real time. Playbooks can also include peacetime training and exercises to prepare the team for the next event.

Playbooks are an integral part of DevOps and IT Ops incident management and cybersecurity. They help teams handle unplanned outages and restore systems to order, and their organizational policies and practices ensure a consistent response to incidents and security threats. A playbook typically contains the following elements:
Incident response teams are groups of IT professionals who prepare for and respond to cyber attacks. An incident response team's responsibilities include developing a proactive incident response plan, testing and resolving system vulnerabilities, maintaining strong security best practices, and providing support for all incident handling actions.

Incident response team members typically have varied skills, backgrounds, and roles, so they can prepare for a range of security incidents. The specific skill set of an organization's incident response team may differ because companies have different risk profiles and business processes. In general, the core functions of incident response team members are:
There are several types of tools that are useful for incident response:

Security Orchestration, Automation, and Response (SOAR)
SOAR refers to platforms that offer tools for collecting security data from various sources. A SOAR solution may combine machine learning and human input to analyze the data to extract insights and prioritize the relevant incident response procedures. SOAR software typically includes three capabilities:
User and Entity Behavior Analytics (UEBA)
UEBA solutions use large datasets and machine learning to establish baselines for typical behavioral patterns, allowing them to identify atypical behavior within the network, which may indicate threats. The emphasis on suspicious behavior allows UEBA to detect threats that can evade traditional security and antivirus tools, including non-malware-based attacks. UEBA uses behavioral models to assess threat levels, providing risk scores to guide the response process.

Security Information and Event Management (SIEM)
SIEM is a security management approach that provides a unified system to combine information and event management functions. SIEM solutions deploy multiple data collection agents to hierarchically collect event data from servers, end-user devices, and network infrastructure. A central management console consolidates the data, allowing security analysts to filter the noise and prioritize real security incidents.

Endpoint Detection and Response (EDR)
EDR systems collect and analyze endpoint security data to protect the network from vulnerable user devices and workstations. EDR aims to detect security breaches in real time, enabling rapid response. This approach helps identify emerging and advanced threats that traditional security tools might not. The specific capabilities of each EDR solution may vary significantly.

Extended Detection and Response (XDR)
XDR solutions are SaaS tools for detecting security threats and implementing incident response procedures. XDR tools integrate several security capabilities in a unified security operations solution, making sophisticated incident response capabilities more accessible and affordable. The advantage of XDR is its consolidation of multiple security products building on EDR capabilities. It can improve the productivity of security operations with enhanced detection and response and centralized visibility and control across enterprise environments.
XDR tools ingest and distill multiple telemetry streams and analyze threat vectors and tactics. They help speed up response efforts by handling the detection and investigation processes.

Incident response is most effective when undertaken quickly by experienced responders. Organizations often lack the resources to maintain a full incident response team that is active 24 hours a day. One option is to work with an external organization that provides professional incident response services. Engaging with these organizations provides the following benefits:
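As an added example that is not part of the original page or of any vendor's product, the following Python shows the core idea behind the UEBA section above (a per-user behavioral baseline, a risk score for each new event, and a ranked triage list feeding the prioritization step). The logon events, the score weights and the triage threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of past successful logons: (user, hour_of_day, host).
# Illustrative data only, not output from any real UEBA or SIEM product.
BASELINE_EVENTS = [
    ("alice", 9, "ws-01"), ("alice", 10, "ws-01"), ("alice", 9, "ws-01"),
    ("alice", 11, "ws-02"), ("alice", 8, "ws-01"), ("alice", 10, "ws-02"),
    ("bob", 14, "ws-07"), ("bob", 15, "ws-07"), ("bob", 13, "ws-07"),
    ("bob", 16, "ws-07"), ("bob", 14, "ws-07"), ("bob", 15, "ws-08"),
]

# Constructed new logons to be scored against the baseline.
NEW_EVENTS = [
    ("alice", 10, "ws-01"),      # normal host, normal hour
    ("alice", 3, "db-prod"),     # new host at 03:00
    ("bob", 2, "ws-07"),         # usual host, but far outside usual hours
    ("mallory", 12, "ws-01"),    # account never seen before
]

def build_baselines(events):
    """Per-user profile: hosts seen before, plus mean and stdev of logon hour."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for user, hour, host in events:
        hours[user].append(hour)
        hosts[user].add(host)
    return {u: {"hosts": hosts[u], "mean": mean(hours[u]), "sd": pstdev(hours[u])}
            for u in hours}

def risk_score(baseline, user, hour, host):
    """0-100 risk score for one logon measured against that user's own baseline.
    Weights (40 new host, 25/50 for hour deviation) are assumed, not a standard."""
    profile = baseline.get(user)
    if profile is None:
        return 100                          # no history at all: maximally novel
    score = 40 if host not in profile["hosts"] else 0
    sd = profile["sd"] or 1.0               # guard against a constant baseline
    z = abs(hour - profile["mean"]) / sd    # distance from the user's usual hour
    if z > 3:
        score += 50
    elif z > 2:
        score += 25
    return min(score, 100)

def triage(baseline, new_events, threshold=50):
    """Rank new logons by risk, keeping those at or above the analyst threshold."""
    scored = [(risk_score(baseline, *e), e) for e in new_events]
    return sorted([(s, e) for s, e in scored if s >= threshold], reverse=True)
```

Running `triage(build_baselines(BASELINE_EVENTS), NEW_EVENTS)` yields the unknown account first, then alice's off-hours logon to a new host, then bob's off-hours logon, while alice's routine logon is dropped from the queue.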